Abstract. By algorithmic metatheorems for a model checking problem P over infinite-state systems we mean generic results that can be used to infer decidability (possibly complexity) of P not only over a specific class of infinite systems, but over a large family of classes of infinite systems. Such results normally start with a powerful formalism F of infinite-state systems, over which P is undecidable, and assert decidability when F is restricted by means of an extra "semantic condition" C. We prove various algorithmic metatheorems for the problems of model checking LTL and its two common fragments $\mathrm{LTL}(F_s, G_s)$ and $\mathrm{LTL}_{\det}$ over the expressive class of word/tree automatic transition systems, which are generated by synchronized finite-state transducers operating on finite words and trees. We present numerous applications, where we derive (in a unified manner) many known and previously unknown decidability and complexity results of model checking LTL and its fragments over specific classes of infinite-state systems including pushdown systems; prefix-recognizable systems; reversal-bounded counter systems with discrete clocks and a free counter; concurrent pushdown systems with a bounded number of context-switches; various subclasses of Petri nets; weakly extended PA-processes; and weakly extended ground-tree rewrite systems. In all cases, we are able to derive optimal (or near optimal) complexity. Finally, we pinpoint the exact locations in the arithmetic and analytic hierarchies of the problem of checking a relevant semantic condition and the LTL model checking problems over all word/tree automatic systems.



1 Introduction 

The study of model checking over infinite-state systems is now an active research area. This can be justified by the plethora of real-world scenarios that can be more conveniently modeled using infinite-state systems rather than finite-state systems, e.g., those that typically arise as programs with unbounded data structures (including stacks, lists, and FIFO queues), numeric variables, and clocks. To make sense of the problem of verifying infinite-state systems, the systems under consideration need to have some finite representations, e.g., timed automata, pushdown automata, counter machines, Turing machines, and so forth. Unlike in the case of finite systems, model checking even the most basic properties, such as safety and liveness, is already undecidable over infinite-state systems in general. For this reason, one either adopts non-Turing-powerful formalisms which admit decidability or resorts to semi-algorithms for general formalisms. Examples of formalisms that admit certain decidable model checking problems include pushdown automata [9], higher-order pushdown automata [20], Petri nets [9], timed automata [3], lossy channel systems [1,4], certain subclasses of counter machines [11,21,24], and classes of term/tree rewrite systems [9,25,31], to name a few. On the other hand, various notions of finite-state transducers on words/trees [2,7,12,15,29,34] and certain extensions of counter machines [6,11] have emerged as popular general (Turing-powerful) frameworks of infinite-state model checking, for some of which semi-algorithmic approaches to verifying basic model checking properties, including safety and liveness, have been proposed (e.g. see [2,6,8] and references therein).

The vast literature of infinite-state model checking in the past decade or so can be extremely daunting and can easily obscure proof patterns that can be reused with ease to obtain model checking decidability results for seemingly unrelated formalisms of infinite-state systems. This issue motivates the study of algorithmic metatheorems for infinite-state model checking, which are generic results that can be used in a "plug-and-play" manner for inferring decidability of certain model checking tasks over a large family of formalisms of infinite-state systems, instead of doing so for a single formalism at a time. Of course the concept of algorithmic metatheorems is not new; the classical decidability of S2S can be viewed as such for MSO model checking, due to its wide applicability via the method of interpretations. Other results of this nature include results on flat counter machines [11,24], well-structured transition systems [4,17], and the extension of the S2S result to the Caucal hierarchy [33]. In the finite case, algorithmic metatheorems are used extensively to obtain good algorithmic bounds for evaluating logical formulae over finite structures [19].

In this paper we study generic algorithmic metatheorems for designing efficient algorithms for model checking LTL, together with two of its commonly considered fragments $\mathrm{LTL}(F_s, G_s)$ [31,32] and $\mathrm{LTL}_{\det}$ [27], over infinite-state systems. Our choice of logic is justified by the fact that LTL, $\mathrm{LTL}(F_s, G_s)$, and $\mathrm{LTL}_{\det}$ can express frequently checked properties including safety and liveness, and that their model checking problems have been frequently studied in the setting of infinite-state systems (e.g. [8,9,22,31]). We will use as our framework the expressive class of word/tree automatic transition systems [7,15,34], which are generated by synchronized rational transducers [12,15] over finite words and finite ranked trees. Such systems subsume many important decidable formalisms, including many which we previously mentioned and others, and still possess desirable closure and decidability properties (e.g. see [7,12]), many of which are not satisfied by the general class of rational transducers on words [29]. Since verifying safety and liveness are in general undecidable over automatic transition systems [7], we will study various "semantic restrictions" for ensuring decidability of LTL, $\mathrm{LTL}(F_s, G_s)$, or $\mathrm{LTL}_{\det}$, without unnecessarily sacrificing applicability and algorithmic efficiency.

Contributions We identify semantic conditions on word/tree automatic transition systems that let us conclude decidability (and complexity) of model checking. We start with a condition (C1) stating that the reachability relation is effectively computable and given by a synchronized rational word/tree transducer. There are many examples of classes of systems satisfying this condition (e.g. see Section 4 and Table 1). Another condition (C2) says that a class of systems is closed under products with finite systems. We show that under (C1) and (C2), LTL model checking is decidable with good complexity bounds: exponential in the formula, and polynomial in the size of the input automatic presentation of the system, assuming an oracle for computing the reachability relation.

While many classes of systems satisfy (C1), extending it to products (condition (C2)) could be problematic. Thus, we study various weakenings of (C2) that could be used to obtain metatheorems for fragments of LTL. In this paper, we look at the following fragments: (1) $\mathrm{LTL}(F_s, G_s)$ with only strict F and G operators, and (2) $\mathrm{LTL}_{\det}$ of [27]. We show that by restricting (C2) to closure under products with dag-like finite systems, or by dropping (C2) altogether at the expense of a slightly worse complexity bound, decidability (and complexity) results for $\mathrm{LTL}(F_s, G_s)$ and $\mathrm{LTL}_{\det}$ model checking can be retained. We also look at variations of these results for Presburger-definable infinite systems.

We then turn to applications, and show how our metatheorems can be used to derive (in a unified manner) known asymptotic upper bounds for LTL model checking over some classes of systems, or produce new (or improved) complexity bounds for LTL and its fragments over other classes. Our results are summarized in Table 1.

Finally, we study the degrees of undecidability for the model checking problem and the problem of checking a relevant semantic condition over all word/tree automatic transition systems. We point out their locations in the arithmetic and analytic hierarchies.

Organization Definitions and notations are given in Section 2. Metatheorems are presented in Section 3. Applications are given in Section 4. Undecidability results are described in Section 5. Due to space limitations, proofs are relegated to the appendix, which can be requested from the authors.

Related Work The study of logical structures generated by finite-state automata and transducers can be traced far back (e.g., [15]). Since then, various models of finite-state automata and transducers have been studied, e.g., rational transducers on words (cf. [5,29]), synchronized rational transducers on words and trees (cf. [5,7,12,34]), synchronized rational transducers on infinite words and infinite trees (cf. [5,7,8]), and length-preserving synchronized rational transducers on finite words (cf. [2]). See [5] for a detailed comparison of their expressive power. In this paper we are concerned only with synchronized rational transducers on finite words and trees. In the case of length-preserving rational transducers on finite words, it is easy to show that LTL model checking is decidable under conditions (C1) and (C2) (cf. [2]). The difficulty of extending this result to (not necessarily length-preserving) synchronized rational transducers on finite words lies in the fact that one has to deal with genuinely infinite execution paths in the transition systems, which do not visit any state twice. Such paths do not exist when the length-preserving restriction is imposed on the transducers.

It is natural to ask whether our results hold in the case of the more general class of rational transducers or synchronized rational transducers on $\omega$-words (they are actually incomparable [5]). We do not know the answer to this question and leave this for future work. We also mention the paper [8], which offers a semi-algorithmic approach to handling LTL model checking over systems generated by deterministic-weak synchronized rational transducers on $\omega$-words. Finally, we mention that even though the aforementioned notions of transducers are Turing-powerful, they cannot capture all transition systems generated by higher-order pushdown systems (cf. [5,20]).

2 Preliminaries 

Transition systems, reachability, and recurrent reachability Let $ACT$ be a finite set of action labels. A transition system over $ACT$ is given as $\mathfrak{S} = (S, (\to_a)_{a \in ACT})$, where $S$ is a set of states and each $\to_a$ is a binary relation on $S$, i.e., a subset of $S \times S$. The set $S$ is not required to be finite. We write $\to$ for the union of all transition relations $\to_a$ ($a \in ACT$) and $\to^+$ (resp. $\to^*$) to denote the transitive (resp. transitive-reflexive) closure of $\to$.

Given a transition system $\mathfrak{S} = (S, (\to_a)_{a \in ACT})$ and a set $X \subseteq S$, by $\mathrm{Reach}^\infty(\mathfrak{S}, X)$ we denote the set of states $s \in S$ from which there exists an infinite execution path in $\mathfrak{S}$ visiting $X$ infinitely often, i.e., there exists an infinite sequence $s \to^+ s_1 \to^+ s_2 \to^+ \cdots$ such that $s_i \in X$ for all $i > 0$. We refer to these sets as recurrent reachability sets.

Automata and transducers We assume basic familiarity with automata on finite and $\omega$-words. Let $\Sigma$ be a finite alphabet. Given an automaton $\mathcal{A} = (Q, \Sigma, \delta, q_0, F)$ with states $Q$, initial state $q_0$, final states $F$ and transition function $\delta$, a run of $\mathcal{A}$ on $w = a_1 \ldots a_n$ (with $n \le \omega$) is a function $\rho : \{0, \ldots, n\} \to Q$ with $\rho(0) = q_0$ that obeys $\delta$, i.e. $\rho(i+1) \in \delta(\rho(i), a_{i+1})$. The length $\|\rho\|$ of $\rho$ is $n$. We use the abbreviations NWA and NBWA for nondeterministic (Büchi) word automata.

We use synchronized rational (letter-to-letter) transducers [7] to define relations $R$ over $\Sigma$-words, i.e., $R \subseteq \Sigma^* \times \Sigma^*$. Such transducers are simply NWA $R$ over $\Sigma_\perp \times \Sigma_\perp$, where $\Sigma_\perp := \Sigma \cup \{\perp\}$ and $\perp \notin \Sigma$ is a padding symbol (so that the NWA can take two input words of different length). More precisely, given two words $w = a_1 \ldots a_n$ and $w' = b_1 \ldots b_m$ over the alphabet $\Sigma$, we define a word $w \otimes w'$ of length $k = \max\{n, m\}$ over the alphabet $\Sigma_\perp \times \Sigma_\perp$ so that the $i$th letter of $w \otimes w'$ is $(a'_i, b'_i)$, where $a'_i$ is $a_i$ for $i \le n$ and $\perp$ for $i > n$ (and likewise $b'_i = b_i$ for $i \le m$ and $\perp$ for $i > m$). That is, the shorter word is padded with $\perp$'s, and the $i$th letter of $w \otimes w'$ is then the pair of the $i$th letters of the padded $w$ and $w'$. The binary relation "recognized" by the transducer $R$ is the set $\{(w, w') \in \Sigma^* \times \Sigma^* : w \otimes w' \in L(R)\}$. Such a relation is also called regular. We refer to such an automaton as a transducer over $\Sigma^*$, since it can be alternatively viewed as mapping words $w \in \Sigma^*$ nondeterministically into words $w'$ so that $w \otimes w'$ is accepted by $R$.

Likewise we define transducers over finite $k$-ary trees [7,12,34]. In the following, we recall the definition for $k = 2$. A binary tree $T = (D, \tau)$ consists of a tree domain $D$ (a finite prefix-closed subset of $\{0,1\}^*$) and a node labeling function $\tau : D \to \Sigma$. The notation $T = T_1 \otimes T_2$ is used to refer to a tree over the labeling alphabet $\Sigma_\perp \times \Sigma_\perp$, defined similarly to $w \otimes w'$. That is, the domain of $T$ is $D_1 \cup D_2$, and the labeling $\tau : D_1 \cup D_2 \to \Sigma_\perp \times \Sigma_\perp$ is defined as $\tau(u) = (a_1, a_2)$ so that $a_i = \tau_i(u)$ if $u \in D_i$ and $\perp$ otherwise, for $i = 1, 2$. With this definition, the notion of tree transducers is defined similarly to the notion of word transducers, as a nondeterministic tree automaton working on $T_1 \otimes T_2$. Binary relations over trees that can be recognized by such transducers are called (tree) regular. In the sequel, we use NTA (resp. NTT) for tree automata (resp. transducers).

We shall use the notations $L(\mathcal{A})$ (or $L(R)$) for the language (or relation) accepted by automaton (or transducer) $\mathcal{A}$ (or $R$).

Automatic presentations of transition systems We deal with infinite transition systems that can be finitely presented by automata and transducers. A word-automatic presentation is $\vartheta = (\mathcal{A}; \{R_a\}_{a \in ACT})$, where $\mathcal{A}$ is an automaton over some finite alphabet $\Sigma$, and each $R_a$ is a transducer over $\Sigma$. This presentation generates an automatic transition system $\mathfrak{A}(\vartheta) = (S; \{\to_a\}_{a \in ACT})$, where $S = L(\mathcal{A})$ and $\to_a := L(R_a) \cap (S \times S)$ for each $a \in ACT$. Tree-automatic presentations and transition systems generated by them are defined similarly except that $\mathcal{A}$ is a tree automaton and the $R_a$'s are tree transducers.

Given a transition system $(S; \{\to_a\}_{a \in ACT})$ generated by a word- or tree-automatic presentation, each first-order (FO) formula $\varphi(x)$ with one free variable (resp. $\varphi(x, y)$ with two free variables) can effectively be converted into a word or tree automaton defining $\{s \in S \mid \varphi(s) \text{ is true}\}$ (resp. a word or tree transducer defining $\{(s, s') \in S \times S : \varphi(s, s') \text{ is true}\}$). This can actually be generalized to $k$ free variables [7].

We denote by $\mathrm{wAut}_p$ and $\mathrm{tAut}_p$ the classes of word-automatic and tree-automatic presentations, respectively. In the sequel, our metatheorems will talk about subclasses $C \subseteq \mathrm{wAut}_p$ or $C \subseteq \mathrm{tAut}_p$ satisfying certain conditions. The following conditions will be tacitly assumed for such $C$. First, it should be easy (i.e. in poly-time) to check membership in $C$. This condition has a standard complexity-theoretic explanation: checking whether the input encoding of an instance of a problem is valid should be easily doable. Secondly, we do not require these classes $C$ to be isomorphism-closed, i.e., there may exist two automatic presentations $\vartheta \in C$ and $\vartheta' \notin C$ generating two isomorphic transition systems $\mathfrak{A}(\vartheta)$ and $\mathfrak{A}(\vartheta')$. In fact, asserting closure under isomorphism is too strong as it is undecidable to check isomorphism for automatic systems [7].

LTL The syntax of LTL over $ACT$ is

$\varphi, \varphi' := a \ (a \in ACT) \mid \neg\varphi \mid \varphi \vee \varphi' \mid \varphi \wedge \varphi' \mid X\varphi \mid \varphi U \varphi'.$

We shall use the standard abbreviations: $F\varphi$ for $\mathit{true}\, U \varphi$, $G\varphi$ for $\neg F \neg\varphi$, and $F_s$ and $G_s$ for their strict versions: $F_s\varphi = XF\varphi$ and $G_s\varphi = \neg F_s \neg\varphi$.

Given an $\omega$-word $w \in ACT^\omega$, we define the satisfaction relation $w \models \varphi$ in the standard way. We write $[\![\varphi]\!]$ for the set of all $w \in ACT^\omega$ such that $w \models \varphi$.

It is well-known [35] that there exists an exponential-time algorithm which, given an LTL formula $\varphi$, computes an NBWA $\mathcal{A}_\varphi$ satisfying $L(\mathcal{A}_\varphi) = [\![\varphi]\!]$.

Given a transition system $\mathfrak{S} = (S, (\to_a)_{a \in ACT})$ and a word $u = a_0 a_1 a_2 \ldots \in ACT^\omega$, we say that $w_0 \in S$ realizes $u$ if there is a sequence $w_0, w_1, w_2, \ldots$ of elements of $S$ such that $w_i \to_{a_i} w_{i+1}$ for all $i \ge 0$. We then define the semantics of LTL formulae in the standard way: $(\mathfrak{S}, w_0) \models \varphi$ iff every $\omega$-word $u \in ACT^\omega$ realized by $w_0$ satisfies $\varphi$. We write $[\![\varphi]\!]^\forall_{\mathfrak{S}}$ for the set of all $w_0 \in S$ such that $(\mathfrak{S}, w_0) \models \varphi$ (where $\forall$ means that every path starting in $w_0$ satisfies $\varphi$). We also write $[\![\varphi]\!]^\exists_{\mathfrak{S}}$ for the complement of the set $[\![\neg\varphi]\!]^\forall_{\mathfrak{S}}$, i.e., for the set of $w_0$ that realize at least one path satisfying $\varphi$.



3 Metatheorems for LTL and its fragments 

Since LTL formulae are translated into Büchi automata, a starting point for us is a known metatheorem that gives a semantic condition which implies bounds (and structural properties) for recurrent reachability sets. We now define a condition on a class $C$ of presentations in $\mathrm{wAut}_p$ (resp. in $\mathrm{tAut}_p$):

(C1) There exists an algorithm $\mathcal{A}_C$ which, given an input presentation $\vartheta = (\mathcal{A}; \{R_a\}_{a \in ACT}) \in C$ of the automatic transition system $\mathfrak{A}(\vartheta) = (S; \{\to_a\}_{a \in ACT})$, computes an NWT (resp. NTT) $R_+$ recognizing the transitive closure relation $\to^+ = (\bigcup_{a \in ACT} \to_a)^+$.

Intuitively, (C1) asserts that the transitive closure relations of systems $\mathfrak{A}(\vartheta)$ with $\vartheta \in C$ are effectively regular. We denote the running time of $\mathcal{A}_C$ by $t_{\mathcal{A}_C}$. The following result states that under (C1), recurrent reachability sets can be computed with polynomial-time overhead.

Theorem 1 ([34]). Fix any class $C \subseteq \mathrm{wAut}_p$ (resp. $C \subseteq \mathrm{tAut}_p$) satisfying (C1). Given an automatic presentation $\vartheta \in C$ and an NWA (resp. NTA) $\mathcal{A}_0$, the set $\mathrm{Reach}^\infty(\mathfrak{A}(\vartheta), L(\mathcal{A}_0))$ is regular, and an NWA (resp. NTA) for it is computable in time polynomial in $\|\vartheta\| + \|\mathcal{A}_0\| + t_{\mathcal{A}_C}(\|\vartheta\|)$. In particular, if $\mathcal{A}_C$ runs in poly-time, then an NWA (resp. NTA) for $\mathrm{Reach}^\infty(\mathfrak{A}(\vartheta), L(\mathcal{A}_0))$ is poly-time computable.



3.1 A metatheorem for LTL 

We now adapt Theorem 1 to produce a metatheorem for LTL. Consider a finite system $\mathcal{T} = (Q = \{q_0, \ldots, q_n\}, \delta)$, with $\delta : Q \times ACT \to 2^Q$. Given a presentation $\vartheta \in \mathrm{wAut}_p$ of the system $\mathfrak{A}(\vartheta) = (S \subseteq \Sigma^*; \{\to_a\}_{a \in ACT})$, we define $\mathcal{T} \cdot \mathfrak{A}(\vartheta)$ to be the automatic transition system $(S'; \{\Rightarrow_a\}_{a \in ACT})$ as follows:

— $S' := QS := \{qs : q \in Q, s \in S\}$; it is a regular language over $\Sigma \cup Q$.
— $qw \Rightarrow_a q'w'$ iff $q' \in \delta(q, a)$ and $w \to_a w'$.

It is easy to give an automatic presentation of $\mathcal{T} \cdot \mathfrak{A}(\vartheta)$ and to show that it is poly-time computable. For presentations $\vartheta \in \mathrm{tAut}_p$, we can define $\mathcal{T} \cdot \mathfrak{A}(\vartheta)$ in a similar way (e.g. by defining the domain to be $Q(S) = \{q(T) : q \in Q, T \in S\}$, where $q(T)$ is the tree obtained by attaching $q$ to $T$ as a root).

We now define another condition (C2) stating that the class $C$ is closed under products with finite systems:

(C2) if $\vartheta \in C$ and $\mathcal{T}$ is a finite system then $\mathcal{T} \cdot \mathfrak{A}(\vartheta) \in C$.

The following theorem is now almost immediate from Theorem 1 and the standard translation from LTL into Büchi automata. Intuitively it says that for automatic presentations satisfying both (C1) and (C2), the overhead of LTL model checking (compared to $t_{\mathcal{A}_C}$) is polynomial in the automatic presentation and exponential in the LTL formula. In particular, if $t_{\mathcal{A}_C}$ is itself polynomial, then LTL model checking is polynomial in the size of the representation of the system and exponential in the size of the formula.

Theorem 2. Fix any set $C \subseteq \mathrm{wAut}_p$ (resp. $C \subseteq \mathrm{tAut}_p$) satisfying both (C1) and (C2). Given $\vartheta \in C$ and an LTL formula $\psi$, the set $[\![\neg\psi]\!]^\exists_{\mathfrak{A}(\vartheta)}$ is regular, and an automaton for it is computable in time polynomial in $\|\vartheta\| + \|\mathcal{A}\| + t_{\mathcal{A}_C}(2^{O(\|\psi\|)} \times \|\vartheta\|)$. Thus, checking whether $(\mathfrak{A}(\vartheta), v_0) \models \psi$ can be done in time polynomial in $\|\vartheta\| + \|v_0\| + t_{\mathcal{A}_C}(2^{O(\|\psi\|)} \times \|\vartheta\|)$.

There are many examples of classes of automatic structures of interest in verification that satisfy condition (C1) (see, e.g., [34] for a list). So it is natural to ask whether having condition (C1) for a class of automatic presentations $C$ implies having it for products of structures in that class with finite systems. While we shall see some examples of classes where this happens (e.g., pushdown systems), in general such an extension is impossible even in very simple cases, e.g., for single structures, as the result below shows.

Proposition 3. There exist an automatic presentation $\vartheta$ satisfying (C1) and a finite system $\mathcal{T}$ such that in $\mathcal{T} \cdot \mathfrak{A}(\vartheta)$ the reachability relation is not regular (in fact, not even recursive).

So the applicability of Theorem 2 in full generality may be rather limited. We thus look at cases when conditions weaker than (C2) allow us to conclude the decidability of model checking. They will not apply to full LTL, but they will apply to some of its well-studied fragments. The distinguishing feature of these fragments is that formulae in them can be translated into special types of Büchi automata, whose graph structures are rather nice (essentially, almost DAGs). We next look at such cases.

3.2 Metatheorems for $\mathrm{LTL}_{\det}$

We first recall the definition of the fragment $\mathrm{LTL}_{\det}$ of LTL [27].

$\varphi, \varphi' := p \mid X\varphi \mid \varphi \wedge \varphi' \mid (p \wedge \varphi) \vee (\neg p \wedge \varphi') \mid (p \wedge \varphi)\, U\, (\neg p \wedge \varphi') \mid (p \wedge \varphi)\, W\, (\neg p \wedge \varphi').$

Here $p$ is a boolean combination of $ACT$, and $\varphi W \varphi'$ is interpreted as the formula $G\varphi \vee (\varphi U \varphi')$, i.e., the "weak until" operator.

Formulae in this fragment can be translated into a special kind of automata called 1-weak NBWAs. Formally, a 1-weak NBWA $\mathcal{A} = (\Sigma, Q, \delta, q_0, F)$ is an NBWA with a partial order $\le$ on $Q$ such that $q' \in \delta(q, a)$ implies $q \le q'$. Intuitively, the partial order ensures that once $\mathcal{A}$ leaves a state $q$, it will never be able to come back to $q$. In other words, graph-theoretically $\mathcal{A}$ looks like a dag possibly with self-loops.
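As an added illustration of the 1-weak condition just defined (this is not code from the paper), the following Python function decides whether a given NBWA transition relation admits such a partial order. It treats the automaton as a directed graph, discards self-loops, and looks for a topological numbering of what remains; such a numbering exists exactly when the automaton is a dag with self-loops, and the numbering is itself a witnessing order. The two sample automata at the bottom, their state names and the alphabet {a, b} are constructed for this example.

```python
def one_weak_order(states, transitions):
    """Decide whether an NBWA with the given transition triples (q, letter, q')
    is 1-weak.  A partial order <= with q <= q' for every transition exists iff
    the transition graph without self-loops is acyclic.  Returns a dict mapping
    each state to a rank that witnesses the order (every transition q -> q'
    satisfies rank[q] <= rank[q']), or None when the automaton is not 1-weak."""
    succ = {q: set() for q in states}
    for q, _letter, q2 in transitions:
        if q != q2:                 # self-loops are permitted and ignored
            succ[q].add(q2)
    indeg = {q: 0 for q in states}
    for q in states:
        for q2 in succ[q]:
            indeg[q2] += 1
    ready = sorted(q for q in states if indeg[q] == 0)
    rank = {}
    while ready:                    # Kahn's algorithm: repeatedly peel off minimal states
        q = ready.pop()
        rank[q] = len(rank)
        for q2 in sorted(succ[q]):
            indeg[q2] -= 1
            if indeg[q2] == 0:
                ready.append(q2)
    # Any state left unranked lies on a cycle of length >= 2, so no order exists.
    return rank if len(rank) == len(states) else None


def is_one_weak(states, transitions):
    return one_weak_order(states, transitions) is not None


# Constructed sample 1 (an assumption, not from the paper): a dag with self-loops.
# With state 2 as the only accepting state it accepts the omega-words over {a, b}
# that contain at least one but only finitely many a's.
DAG_STATES = [0, 1, 2]
DAG_TRANS = [
    (0, "b", 0), (0, "a", 1),
    (1, "b", 1), (1, "a", 1), (1, "b", 2),
    (2, "b", 2),
]

# Constructed sample 2: states 0 and 1 form a genuine cycle (the usual automaton
# for "infinitely many a's"), so no partial order can exist.
CYC_STATES = [0, 1]
CYC_TRANS = [(0, "b", 0), (0, "a", 1), (1, "a", 1), (1, "b", 0)]

if __name__ == "__main__":
    print(one_weak_order(DAG_STATES, DAG_TRANS))   # a rank witnessing the order
    print(is_one_weak(CYC_STATES, CYC_TRANS))      # False
```

The check is exactly what condition (C2') below asks of the finite system $\mathcal{T}$ before it is multiplied with $\mathfrak{A}(\vartheta)$; a class that only promises closure under products with 1-weak systems can verify, in linear time, that a given $\mathcal{T}$ qualifies.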

It was shown in [27] that there exists a poly-time algorithm which, given an $\mathrm{LTL}_{\det}$ formula $\varphi$, computes a 1-weak NBWA $\mathcal{A}_{\neg\varphi}$ such that $L(\mathcal{A}_{\neg\varphi}) = [\![\neg\varphi]\!]$. (The running time was not explicitly mentioned in [27], but one can easily check that it is polynomial.)

We now weaken the condition (C2) to the following:

(C2') if $\vartheta \in C$ and $\mathcal{T}$ is a finite system that is 1-weak then $\mathcal{T} \cdot \mathfrak{A}(\vartheta) \in C$.

Combining Theorem 1 with the translation of [27], we may proceed as in the proof of Theorem 2 and obtain the following theorem.

Theorem 4. Fix any set $C \subseteq \mathrm{wAut}_p$ (resp. $C \subseteq \mathrm{tAut}_p$) satisfying (C1) and (C2'). Given $\vartheta \in C$ and an $\mathrm{LTL}_{\det}$ formula $\varphi$, the set $[\![\neg\varphi]\!]^\exists_{\mathfrak{A}(\vartheta)}$ is regular, and an automaton for it is computable in time polynomial in $\|\vartheta\| + \|\mathcal{A}\| + t_{\mathcal{A}_C}(\|\varphi\| \times \|\vartheta\|)$. Thus, checking whether $(\mathfrak{A}(\vartheta), v_0) \models \varphi$ can be done in time polynomial in $\|\vartheta\| + \|v_0\| + t_{\mathcal{A}_C}(\|\varphi\| \times \|\vartheta\|)$.

We now show that decidability can still be obtained without assuming condition (C2') but by slightly strengthening condition (C1). Namely, we use a condition stating that the transitive closure can be computed not only for $\to$ but also for all unions of $\to_a$'s:

(C1') there exists an algorithm $\mathcal{A}_C$ which, given an input presentation $\vartheta = (\mathcal{A}; \{R_a\}_{a \in ACT}) \in C$ of the automatic transition system $\mathfrak{A}(\vartheta) = (S; \{\to_a\}_{a \in ACT})$ and each subset $ACT' \subseteq ACT$, computes an NWT (resp. NTT) $R^+_{ACT'}$ recognizing the transitive closure relation $(\bigcup_{a \in ACT'} \to_a)^+$.

In practice, (C1') is not much stronger than (C1); all our examples in the next section which satisfy (C1) also satisfy (C1'). In this case, $\mathrm{LTL}_{\det}$ model checking can be done in PSPACE assuming an oracle for $t_{\mathcal{A}_C}$; its running time is only exponential in the size of the formula.

Theorem 5. Fix any set $C \subseteq \mathrm{wAut}_p$ (resp. $C \subseteq \mathrm{tAut}_p$) satisfying (C1'). Given a presentation $\vartheta \in C$ and an $\mathrm{LTL}_{\det}$ formula $\varphi$, checking whether $(\mathfrak{A}(\vartheta), v_0) \models \varphi$ can be done in time polynomial in $\|\vartheta\|$, $\|v_0\|$, $t_{\mathcal{A}_C}(\|\vartheta\|)$, and exponential in $\|\varphi\|$. Whenever $C \subseteq \mathrm{wAut}_p$, the space consumed by the algorithm is polynomial in $\|\vartheta\|$, $\|v_0\|$, $t_{\mathcal{A}_C}(\|\vartheta\|)$, and $\|\varphi\|$.
3.3 Metatheorems for $\mathrm{LTL}(F_s, G_s)$

Recall that in $\mathrm{LTL}(F_s, G_s)$ we use the operators $F_s$ and $G_s$ rather than $U$ and $X$. It turns out that our conditions (C1) and (C2) imply bounds on $\mathrm{LTL}(F_s, G_s)$ model checking. We start with the following.

Theorem 6. Fix any set $C \subseteq \mathrm{wAut}_p$ (resp. $C \subseteq \mathrm{tAut}_p$) satisfying (C1) and (C2). Given a presentation $\vartheta \in C$ and an $\mathrm{LTL}(F_s, G_s)$ formula $\varphi$, checking whether $(\mathfrak{A}(\vartheta), v_0) \models \varphi$ can be done in coNP assuming an oracle for $t_{\mathcal{A}_C}$. More precisely, checking whether $(\mathfrak{A}(\vartheta), v_0) \not\models \varphi$ can be done in nondeterministic time polynomial in $\|\vartheta\| + \|v_0\| + t_{\mathcal{A}_C}(\|\varphi\| \times \|\vartheta\|)$.

The proof of this result is based on a translation into 1-weak NBWAs extended with fairness constraints, which are conjunctions of formulae $G_s F_s p$, where $p$ is a disjunction over action labels in $ACT$ [31]. We have to extend the translation results from [31] to obtain more precise information about the structure of the automata, and then use it to prove the result along the lines of the proof in the previous section. Details are in the appendix.

Our second metatheorem for $\mathrm{LTL}(F_s, G_s)$ uses only condition (C1) and produces slightly higher, but still acceptable, complexity bounds.

Theorem 7. Fix any set $C \subseteq \mathrm{wAut}_p$ (resp. $C \subseteq \mathrm{tAut}_p$) satisfying (C1). Given a presentation $\vartheta \in C$ and an $\mathrm{LTL}(F_s, G_s)$ formula $\varphi$, checking whether $(\mathfrak{A}(\vartheta), v_0) \models \varphi$ can be done in time polynomial in $\|\vartheta\|$, $\|v_0\|$, $t_{\mathcal{A}_C}(\|\vartheta\|)$, and exponential in $\|\varphi\|$.

3.4 A metatheorem for Presburger-definable systems 

In this subsection, we make the extra assumption that the input presentations can be given by existential Presburger formulas. More precisely, we consider presentations of the form $\vartheta = (\varphi(\bar{x}); \{\varphi_a(\bar{x}, \bar{y})\}_{a \in ACT})$, where $\bar{x}$ and $\bar{y}$ are $k$-tuples of variables for some $k \in \mathbb{Z}_{>0}$ and the $\varphi$'s are existential Presburger formulas. Such a presentation gives rise to the system $\mathfrak{A}(\vartheta) = (S; \{\to_a\}_{a \in ACT})$, where $S = \{\bar{a} \in \mathbb{N}^k : (\mathbb{N}, +) \models \varphi(\bar{a})\}$ and $\to_a = \{(\bar{a}, \bar{b}) \in \mathbb{N}^{2k} : (\mathbb{N}, +) \models \varphi_a(\bar{a}, \bar{b})\}$. Let $\mathrm{presAut}_p$ denote the set of all such presentations. Automatic presentations for $\mathrm{presAut}_p$ can be given (cf. [7]).

For sets $C \subseteq \mathrm{presAut}_p$ (which, as before, need not be isomorphism-closed), we define a new semantic condition, which is essentially an adaptation of (C1') to the class of Presburger-definable systems:

(C3) there exists an algorithm $\mathcal{A}_C$ which, given an input presentation $\vartheta = (\varphi; \{\varphi_a\}_{a \in ACT}) \in C$ of the system $\mathfrak{A}(\vartheta) = (S; \{\to_a\}_{a \in ACT})$ and a subset $ACT' \subseteq ACT$, computes an existential Presburger formula $R^+(\bar{x}, \bar{y})$ which defines the transitive closure relation $(\bigcup_{a \in ACT'} \to_a)^+$.

We denote by $t_{\mathcal{A}_C}$ the running time of $\mathcal{A}_C$ in (C3). In addition, we require that the class $C$ satisfy the following monotonicity condition: for every $\vartheta \in C$ and every $\bar{a}, \bar{b} \in \mathbb{N}^k$ satisfying $\bar{a} \le \bar{b}$ (i.e. the inequality holds component-wise), if $\bar{a} \to_a \bar{a} + \bar{\delta}$ for some $\bar{\delta} \in \mathbb{Z}^k$ and $a \in ACT$, then $\bar{b} \to_a \bar{b} + \bar{\delta}$. This is a strong condition, but it is still satisfied by any subclass of Petri nets.

Theorem 8. Fix any monotone $C \subseteq \mathrm{presAut}_p$ satisfying (C3). Given $\vartheta \in C$, $v_0 \in \mathbb{N}^k$ represented in binary, and an $\mathrm{LTL}(F_s, G_s)$ or $\mathrm{LTL}_{\det}$ formula $\psi$, checking whether $(\mathfrak{A}(\vartheta), v_0) \not\models \psi$ can be done in nondeterministic time polynomial in $\|\vartheta\|$, $\|v_0\|$, $t_{\mathcal{A}_C}(\|\vartheta\|)$ and $\|\psi\|$.

4 Applications 

In this section we apply our metatheorems from the previous section to obtain decidability and complexity results for LTL, $\mathrm{LTL}(F_s, G_s)$, and $\mathrm{LTL}_{\det}$ model checking over specific classes of infinite systems. In some cases, we re-derive known results with asymptotically the same complexity bounds; in other cases we obtain new results. Our results are summarized in Table 1.

Pushdown systems (PDS). A pushdown system [9] is a tuple $\mathcal{P} = (ACT, \Gamma, Q, \Delta)$ where $\Gamma$ is a stack alphabet, $Q$ a set of states, and $\Delta$ is a finite subset of $Q \times \Gamma \times ACT \times Q \times \Gamma^*$. Let $\Delta_a$ be the set of tuples (called "rules") in $\Delta$ of the form $(q, \gamma, a, q', w')$. Let $\mathfrak{A}(\mathcal{P})$ be the transition system $(Q \times \Gamma^*; \{\to_a\}_{a \in ACT})$, where $\to_a := \{((q, w\gamma), (q', ww')) : (q, \gamma, a, q', w') \in \Delta_a\}$. It is straightforward (and in poly-time) to give a word-automatic presentation of $\mathcal{P}$ (cf. [34]), and to show that the class PDS of such presentations satisfies (C2). Furthermore, it is known [10,34] that PDS satisfies (C1) with polynomial running time.
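The word-automatic presentation of a pushdown system is left to the reader above (the paper cites [34]); the Python below is an added example, not the paper's or [34]'s construction, that builds one concretely. It also serves as a runnable instance of the padded convolution $w \otimes w'$ and of transducer acceptance from Section 2, and the way it prefixes the control state to the stack word is the same shape as the product $\mathcal{T} \cdot \mathfrak{A}(\vartheta)$ of Section 3.1. Assumptions made here: a configuration $(q, w)$ is encoded as the word $qw$ with the stack top as the last letter; the padding symbol is written `⊥`; the function names `pds_transducers` and `successors`, and the sample system with control states p, r and stack alphabet {z, x}, are all constructed for the example.

```python
from itertools import zip_longest

PAD = "⊥"   # the padding symbol of Sigma_⊥; assumed to occur neither in Gamma nor in Q


def convolve(w, w2):
    """The word w ⊗ w' of Section 2: the shorter word is padded with ⊥ and the
    i-th letter is the pair of the i-th letters of the padded words."""
    return tuple(zip_longest(w, w2, fillvalue=PAD))


class NWA:
    """Nondeterministic finite word automaton.  `delta` maps (state, letter) to
    the set of successor states; a missing key means no transition."""

    def __init__(self, q0, finals, delta):
        self.q0, self.finals, self.delta = q0, set(finals), delta

    def accepts(self, word):
        current = {self.q0}
        for letter in word:
            current = {q2 for q in current for q2 in self.delta.get((q, letter), ())}
            if not current:
                return False
        return bool(current & self.finals)


class Transducer:
    """Synchronized rational transducer: an NWA over Sigma_⊥ x Sigma_⊥ run on
    w ⊗ w'.  It recognizes the relation {(w, w') : w ⊗ w' in L(R)}."""

    def __init__(self, nwa):
        self.nwa = nwa

    def related(self, w, w2):
        return self.nwa.accepts(convolve(w, w2))


def pds_transducers(rules, gamma):
    """Word-automatic presentation of ->_a for a pushdown system (constructed here).

    A configuration (q, stack) is encoded as the word q + stack with the stack top
    as the LAST letter, so a rule (q, gamma, a, q', w') of Delta_a rewrites
    q·u·gamma into q'·u·w'.  `rules` maps each action a to Delta_a, given as
    tuples (q, gamma, q', w').  Returns one Transducer per action; the choice of
    rule is the NWA's nondeterministic guess at the first letter."""
    result = {}
    for action, delta_a in rules.items():
        delta = {}

        def add(src, pair, dst):
            delta.setdefault((src, pair), set()).add(dst)

        for idx, (q, top, q2, w2) in enumerate(delta_a):
            copy = ("copy", idx)
            add("start", (q, q2), copy)            # letter 0: swap the control state
            for x in gamma:
                add(copy, (x, x), copy)            # copy the untouched stack part u
            if not w2:                             # pop: gamma is replaced by nothing,
                add(copy, (top, PAD), "acc")       # so the right word ends with ⊥
            else:                                  # rewrite gamma -> w'; letters of w'
                prev = copy                        # beyond the first pair with ⊥ on the left
                for i, y in enumerate(w2):
                    dst = "acc" if i == len(w2) - 1 else ("tail", idx, i)
                    add(prev, (top if i == 0 else PAD, y), dst)
                    prev = dst
        result[action] = Transducer(NWA("start", {"acc"}, delta))
    return result


# Constructed sample pushdown system (an assumption, not from the paper):
# control states p, r; stack alphabet {z, x} with z as the bottom marker.
GAMMA = ("z", "x")
RULES = {
    "push": [("p", "z", "p", "zx"), ("p", "x", "p", "xx")],   # push an x on any top
    "pop":  [("p", "x", "p", "")],                            # pop an x
    "done": [("p", "z", "r", "z")],                           # on bottom marker, move to r
}
STEP = pds_transducers(RULES, GAMMA)


def successors(config, candidates):
    """Which of the candidate configurations are one ->_a step away, for each a."""
    return {a: [c for c in candidates if STEP[a].related(config, c)] for a in STEP}


if __name__ == "__main__":
    print(convolve("pzx", "pzxx"))
    print(successors("pzx", ["pzxx", "pz", "rzx", "rz"]))
```

Each transducer reads the convolution once, so membership in $\to_a$ for a pair of configurations is decided in time linear in their length; the transitive closure $\to^+$ promised by (C1) is a separate construction, not shown here.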

Combined with our results in the previous section, it follows that model checking LTL, $\mathrm{LTL}(F_s, G_s)$, and $\mathrm{LTL}_{\det}$ are respectively in EXPTIME, coNP, and PTIME. It also follows that all these problems are in PTIME when the formula is fixed. It was known (cf. [9]) that the complexity of model checking LTL over pushdown systems is EXPTIME-complete, and is in PTIME for a fixed formula. On the other hand, the results for $\mathrm{LTL}(F_s, G_s)$ and $\mathrm{LTL}_{\det}$ are new (in the case of $\mathrm{LTL}(F_s, G_s)$, coNP-hardness can be derived from [32]).

Prefix-recognizable systems (Pref-RS). A prefix-recognizable system (with states) $\mathcal{P}$ is a tuple $(ACT, \Gamma, Q, \Delta)$ where $ACT$, $\Gamma$, and $Q$ are defined as in pushdown systems, whereas $\Delta$ is a set of rules of the form $((q, U, V), a, (q', V'))$, where $q, q' \in Q$; $a \in ACT$; and $U$, $V$, and $V'$ are regular languages over $\Gamma$ given by NWAs. Let $\mathfrak{A}(\mathcal{P})$ be the transition system $\mathfrak{S} = (Q \times \Gamma^*; \{\to_a\}_{a \in ACT})$, where $\to_a$ is the set of tuples $((q, uv), (q', uv')) \in S \times S$ such that, for some $((q, U, V), a, (q', V')) \in \Delta_a$, we have $u \in U$, $v \in V$, and $v' \in V'$. It is straightforward (and in poly-time) to give a word-automatic presentation for $\mathcal{P}$.

Using Theorem 2, we can also rederive the known EXPTIME upper bound [22] for LTL model checking over prefix-recognizable systems (details are in the appendix). Furthermore, EXPTIME-hardness for model checking a fixed $\mathrm{LTL}_{\det}$ and $\mathrm{LTL}(F_s, G_s)$ formula is obtained by reducing from the unreachability problem for prefix-recognizable systems, which has recently been proven to be EXPTIME-complete [18].

Concurrent pushdown systems (CPDS). A concurrent pushdown system (cf. [30]) is a tuple $\mathcal{P} = (ACT, \Gamma, Q, \Delta_0, \ldots, \Delta_N)$, where each $\mathcal{P}_i = (ACT, \Gamma, Q, \Delta_i)$ is a pushdown system. Suppose that $\mathfrak{A}(\mathcal{P}_i) = (Q \times \Gamma^*; \{\to_{i,a}\}_{a \in ACT})$. Then the transition system $\mathfrak{A}(\mathcal{P})$ generated by $\mathcal{P}$ is $(Q \times (\Gamma^*)^N; \{\to_a\}_{a \in ACT})$, where $\to_a := \bigcup_{i=0}^{N} \to_{i,a}$. Although concurrent pushdown systems are well-known to be Turing-powerful (so checking safety and liveness is undecidable), [23,30] have shown that reachability is NP-complete if we consider runs of $\mathcal{P}$ with a bounded number $k$ of "context-switches" ($k$ part of the input). Intuitively, a context of $\mathcal{P}$ is an uninterrupted sequence of actions performed by exactly one "thread" $\mathcal{P}_i$. A context-switch occurs when $\mathcal{P}$ interrupts the execution of a thread $\mathcal{P}_i$ and resumes by executing a (possibly different) thread $\mathcal{P}_j$. Context-bounded reachability for $\mathcal{P}$ is simply the problem of reachability restricted to executions of $\mathcal{P}$ with exactly $k$ context-switches for any given input $k$. One can similarly define the context-bounded LTL model checking problem for concurrent pushdown systems by restricting the executions of $\mathcal{P}$ to those with exactly $k$ context-switches for any given $k$.

Using the results of [23,30] and our metatheorems, we can show that context-bounded model checking LTL, $\mathrm{LTL}(F_s, G_s)$, and $\mathrm{LTL}_{\det}$ over concurrent pushdown systems are respectively EXPTIME-complete, coNP-complete, and coNP-complete. If the formula is fixed, they are all coNP-complete.

Discrete timed counter systems (RCM and d-RCM). Although verify- 
ing safety and liveness for general counter machines is undecidable, it is known 
that these problems are decidable (cf. [14, 21]) when all the counters but one are 
reversal-bounded (only executions with a fixed number of reversals are consid- 
ered). We denote by RCM the class of such machines. The LTL model checking 
problem for RCM is also known to be decidable [14], but no complexity analy- 
sis was given for their algorithm. Furthermore, it was left as an open question 
whether the same result holds for such machines extended with discrete clocks 
(in the sense of [3]), for which reachability is known to be decidable [13]. We 
write d-RCM for the class of such machines. 

We answer this open question positively and give upper bounds for the cases 
with and without discrete clocks. Using our metatheorems in combination with 
a slightly refined version of the algorithms for computing binary reachability 
relations in [13,21], we can give an algorithm for model checking LTL (resp. 
LTLdet and LTL(F_s, G_s)) over RCM that runs in time exponential in the size of 
the machine and double exponential (resp. exponential) in the size of the LTL 
(resp. LTLdet and LTL(F_s, G_s)) formula. Details of the construction and the 
analysis are in the appendix. 

For d-RCM, we have exactly the same upper bound complexity except that 
the algorithms run double exponential in the number of clocks. 

Communication-free Petri nets (BPP). Communication-free nets (a.k.a. 
BPPs) [16, 28] are Petri nets where each transition has exactly one incoming 
arc (and, hence, "communication-free"). LTL model checking over BPPs is 
known to be EXPSPACE-complete when only infinite traces are considered (cf. 
[28]). When finite traces are also considered, the problem is still decidable but 
no primitive recursive upper bound is known [28], since reachability for Petri 
nets can be reduced to this problem. 

In contrast, we can show that LTLdet and LTL(F_s, G_s) model checking 
for BPPs is coNP-complete even when finite traces are considered. In fact, it is 
known that the transitive closure relations for BPPs are semi-linear [16]. Fur- 
thermore, one can then adapt the proof of [36, Theorem 4] to show that there 
exists a poly-time algorithm computing an existential Presburger formula defin- 
ing the transitive closure relation for a given BPP. Since any subclass of Petri 
nets is monotone, Theorem 8 (which also holds when finite traces are considered) 
implies that LTL(F_s, G_s) and LTLdet model checking over BPPs are in coNP. 

Furthermore, a matching lower bound can be easily given for a fixed formula 
in LTL(F_s, G_s) and LTLdet by reducing from the non-reachability problem for 
BPPs, which is coNP-complete [16]. 

Weakly extended PA processes (wPA). PA (cf. [26,28,31]) is a well-known 
process algebra allowing sequential and parallel compositions, but no commu- 
nication. It is a common generalization of BPP (with unary representation for 
numbers) and the class of pushdown systems with one state (a.k.a. BPA). It is 
known (cf. [28,31]) that LTL model checking over PA is undecidable. It is also 
known that decidability can be retained when restricting to LTL(F_s, G_s) and 
LTLdet [31]. However, no upper bounds for these problems are known. 

We can use Theorem 5 and Theorem 7 in combination with the encoding of 
PA and their binary reachability relations as tree-automatic systems (cf. [26, 34]) 
to give an exponential time upper bound for these problems. They are coNP- 
hard, which can be shown by a reduction from the non-reachability problem for BPP 
[16]. The upper bound also holds when we consider weakly extended PA (wPA) 
[31], which are simply PA extended with weak finite control (i.e. 1-weak NBWA). 

Weakly extended ground-tree rewrite systems (wGTRS). A ground tree 
rewrite system (GTRS) (cf. [25,34]) over $\Sigma$-labeled trees is a finite set $\Delta$ of 
"rules" of the form $(t, a, t')$ where $t, t' \in \mathrm{Tree}(\Sigma)$ and $a \in \mathrm{ACT}$. For a tree $T$ and 
a node $u$ in it, let $T_u$ be the subtree of $T$ rooted at $u$. For a given $t \in \mathrm{Tree}(\Sigma)$, 
we write $T[t/u]$ for the tree obtained from $T$ by replacing the subtree $T_u$ by $t$. 
The GTRS $\Delta$ generates the transition system 
$\mathfrak{S}(\Delta) = (\mathrm{Tree}(\Sigma); \{\to_a\}_{a \in \mathrm{ACT}})$ 
where $T \to_a T'$ iff there exists a node $u$ in $T$ and a rule $(t, a, t') \in \Delta$ such that 
$T_u = t$ and $T' = T[t'/u]$. One can easily conclude that LTL model checking 
over GTRS is undecidable, using results of [25,31]. 
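The GTRS definition above, as an added worked example that is not part of the paper: the subtree $T_u$, the replacement $T[t/u]$, and the one-step successor relation of $\mathfrak{S}(\Delta)$. The tree encoding and the sample rule set are constructed for illustration.

```python
# Added example (not from the paper).  A Σ-labeled tree is a nested tuple
# (label, (child_1, ..., child_k)); a node u is the path of child indices
# from the root, so the root is the empty tuple ().

def subtree(T, u):
    """T_u: the subtree of T rooted at node u."""
    for i in u:
        T = T[1][i]
    return T

def replace(T, t, u):
    """T[t/u]: the tree obtained from T by replacing the subtree T_u by t."""
    if not u:
        return t
    label, children = T
    i, rest = u[0], u[1:]
    new_children = list(children)
    new_children[i] = replace(children[i], t, rest)
    return (label, tuple(new_children))

def nodes(T, u=()):
    """All node addresses of T in pre-order."""
    yield u
    for i, child in enumerate(T[1]):
        yield from nodes(child, u + (i,))

def successors(T, rules):
    """One step of S(Delta): the set of (a, T') with T ->_a T', i.e. there is
    a node u and a rule (t, a, t') in Delta with T_u = t and T' = T[t'/u]."""
    result = set()
    for u in nodes(T):
        for (t, a, t2) in rules:
            if subtree(T, u) == t:
                result.add((a, replace(T, t2, u)))
    return result

# Constructed sample GTRS over Σ = {f, g, a, b}: 'grow' rewrites the leaf a
# into g(a) (so the reachable trees are unbounded), 'cut' rewrites g(a) to b.
A, B = ('a', ()), ('b', ())
GA = ('g', (A,))
RULES = [(A, 'grow', GA), (GA, 'cut', B)]
T0 = ('f', (A, B))

if __name__ == "__main__":
    for a, T1 in sorted(successors(T0, RULES)):
        print(a, T1)
```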

On the other hand, our results imply that decidability is retained when we 
restrict to LTL(F_s, G_s) or LTLdet. This follows from the fact that (C1') is satis- 
fied by the class of automatic presentations of GTRSs (cf. [12, 34]). Therefore, we 
obtain exponential-time algorithms for model checking LTLdet and LTL(F_s, G_s) 
over GTRS, whose complexity becomes polynomial when the formula is fixed. 
We can also show that these problems are coNP-hard for non-fixed formulas. 

One can also extend these results to GTRSs with weak finite control, as we 
did for PA-processes. Details are in the appendix. 


                  LTL                LTL(F_s, G_s)          LTLdet
              Comb.     Data     Comb.      Data       Comb.      Data
PDS           EXP       in P     coNP       in P       in P       in P
Pref-RS       EXP       EXP      EXP        EXP        EXP        EXP
CPDS          EXP       coNP     coNP       coNP       coNP       coNP
BPP           x         x        coNP       coNP       coNP       coNP
(w)PA         x (ud)    x (ud)   in EXP,    in EXP,    in EXP,    in EXP,
                                 coNP-h     coNP-h     coNP-h     coNP-h
GTRS          x (ud)    x (ud)   in EXP,    in P       in EXP,    in P
                                 coNP-h                coNP-h
wGTRS         x (ud)    x (ud)   in EXP     in EXP     in EXP     in EXP
d-RCM         in 2-EXP  in EXP   in EXP     in EXP     in EXP     in EXP

Table 1. A summary of combined and data complexity that we obtain. Here, x (resp. 
ud) means that the result cannot be obtained using our metatheorems (resp. undecid- 
able). Whenever written in bold, the results are new. Also, coNP-h means coNP-hard. 

5 How hard are these problems in general? 

Relevant to condition (C1) is the problem of checking whether the transitive 
closure relation of a given automatic presentation is regular, and the problem of 
checking whether a given transducer R' represents the transitive closure relation 
of another one R (over the same domain). We shall point out the degrees of 
undecidability of such problems in the arithmetic hierarchy. We shall then point 
out the degrees of undecidability of the model checking problems in the general 
case (i.e. over all word/tree automatic presentations), and compare this with 
the length-preserving case. We start with the problems related to "computing" 
transitive closure relations. 

Theorem 9. — Given two nondeterministic word transducers R and R', 
checking whether R' is the transitive closure of R is $\Pi^0_2$-complete. 
— Given a nondeterministic word transducer R, checking whether its transitive 
closure is regular is in $\Sigma^0_3$ and $\Pi^0_2$-hard. 

We now address the degrees of undecidability for checking recurrent reacha- 
bility and model checking LTL, LTL(F_s, G_s), and LTLdet over automatic tran- 
sition systems. Unlike the problem of reachability, which can be shown to be 
$\Sigma^0_1$-complete (cf. [7,29]), checking liveness is highly undecidable: 

Theorem 10. Recurrent reachability for both word and tree automatic transi- 
tion systems is $\Sigma^1_1$-complete, and model checking LTL, LTL(F_s, G_s), and LTLdet 
for them are all $\Pi^1_1$-complete. 

In fact, Theorem 10 could be shown to also hold when the general class of rational 
transducers is used (instead of synchronized rational). 

Finally, many examples in the "regular model checking" literature (cf. [2]) 
deal with the subcase of length-preserving synchronized rational transducers 
(i.e., $w \to_a w'$ implies $|w| = |w'|$). In this case, the LTL (resp. recurrent 
reachability) model checking problem is usually defined with respect to a regular 
set Init of initial states with either "existential" (resp. "universal") semantics in 
the following sense: there exists $w \in \mathrm{Init}$ such that (resp. all $w \in \mathrm{Init}$ satisfy) 
$(\mathfrak{S}(\mathcal{B}), w) \models \varphi$. [Note: when Init is finite, the model checking problems become 
decidable since then the set of reachable states from Init is finite.] In contrast to 
Theorem 10, we have the following proposition. 

Proposition 11. For automatic transition systems with length-preserving 
transducers, global recurrent reachability and LTL model checking are all 

— $\Sigma^0_1$-complete (when existential semantics is considered); 

— $\Pi^0_1$-complete (when universal semantics is considered). 

This result confirms the intuition that checking liveness is much easier when 
considering length-preserving transducers. 